To the cloud? Better check your security arrangements

One might think that private cloud services would be more secure than public cloud services because the former are designed to serve a single enterprise, whereas the latter are open to the public. But in a column in Health Data Management, an intellectual property expert says that no valid comparisons have been made between the security of private and public clouds. Moreover, writes John Pavolotsky of the Greenberg Traurig law firm, such comparisons would be impossible because most public cloud vendors do not disclose their security arrangements.

This will not be good news to healthcare providers who are considering using cloud-based services. In a recent KLAS study, the research firm attributed the wariness of many hospitals about using the cloud to concerns about reliability and security.

At least breaches in public clouds become visible, sooner or later, because someone will point them out on other websites, Pavolotsky notes. But the cloud firms do not take responsibility for such incidents.

"Regardless of whether the cloud vendor (private or public) was responsible for a breach, the cloud customer is ultimately responsible for the security of their customers' data that has been entrusted to the cloud provider," he writes.

A recent InformationWeek article confirms that cloud providers do not take soup-to-nuts responsibility for delivering services, platforms or infrastructures. A website that processes credit cards and has PCI-DSS certification, for example, must meet high security requirements in its data center.

"However, it's still the customer's responsibility to document how they protect the application, how security patches are applied to the operating system, whether data is encrypted in flight, or what ports are open to the outside world," according to the article.

How this might apply to, say, cloud-based image sharing applications is unclear. This is one area of healthcare that has been moving to the cloud at a rapid rate, because of the low cost of cloud-based storage and because the method allows images to be shared among providers in a vendor-neutral manner. Among the public cloud vendors in this field are Dell and Siemens, which recently launched a joint offering for hospitals; Merge Healthcare; and AT&T and Accenture.

Private clouds are usually designed for enterprises, and private-cloud vendors are often willing to negotiate security arrangements. But some private clouds stretch the definition by including a large number of unrelated providers. For example, the Colorado Telehealth Network includes more than 200 providers across Colorado that use the private cloud-based broadband network for telemedicine, remotely hosted EHRs and connectivity to the CORHIO health information exchange.

To learn more:
- read the Health Data Management column
- see the InformationWeek article
- check out this InformationWeek piece about cloud offerings from the Colorado Telehealth Network